Bugtraq mailing list archives

Re: Digital Unix 4 protected password database.


From: twp () ROOTSWEB COM (Tim Pierce)
Date: Fri, 12 Mar 1999 18:44:22 -0500


On Wed, Mar 10, 1999 at 05:44:40PM -0500, der Mouse wrote:
> I once posted a better algorithm than this [...]... but it never got
> adopted, and anyway, MD5 or SHA1 is a much better bet.
>
> Years ago, I did an MD5-based crypt(3) for NetBSD.  I've been using it
> ever since.  I believe it is significantly better for several reasons.
> One, of course, is that it's nonstandard and hence not vulnerable to
> stock crack-alikes...

FreeBSD has used MD5 in its crypt(3) algorithm for several years.  I
believe it was already there in the 2.0 release around 1994.  (It does
give you the option, at install time, of using DES instead.)

The cryptographic benefits are probably still sound, but I would
assume that Crack tools try both MD5 and DES on their dictionaries.
There are enough FreeBSD systems using MD5 on the net to make it worth
the crackers' while.

--
Regards,
Tim Pierce
RootsWeb Genealogical Data Cooperative
system obfuscator and hack-of-all-trades


